Contents

Use Mobile VPN with IPSec with an Android Device

Mobile devices that run Android version 4.x and higher include a native VPN client. In some cases, hardware manufacturers modify the native Android VPN client to add options, or they include their own VPN client on the device.

To make an IPSec VPN connection to a Firebox from an Android device:

  • Your VPN client must operate in Aggressive mode.
  • The Firebox must run Fireware v11.5.1 or higher.
  • The Firebox must be configured with Phase 1 and 2 transforms that are supported by the Android device.

Recent versions of the native Android VPN client use Main mode which is not compatible with Mobile VPN with IPSec. You cannot view or change the mode setting on the native Android VPN client. However, if the hardware manufacturer of your Android device modified the native VPN client, you might be able to change this setting.

If you cannot change your device settings to Aggressive mode, we recommend that you try one of these connection methods:

  • If your hardware manufacturer installed its own VPN client on your Android device, try to connect with that client if it can operate in Aggressive mode. For more information, see the documentation from the manufacturer.
  • In the settings for the native Android VPN client, configure the L2TP with IPSec option. Next, enable L2TP on your Firebox. L2TP on the Firebox uses Main mode. For more information about L2TP, see About L2TP User Authentication.
  • Install the OpenVPN SSL client on your Android device. You must manually download the SSL client profile from the SSL Portal on your Firebox. For more information about the client profile, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

Authentication and Encryption Settings

Android devices have a pre-configured list of supported VPN transforms. Unless the hardware manufacturer of your device modified the native Android VPN client, you cannot view this list or specify different default transforms. Recent Android OS versions have these default transforms:

Phase 1 — SHA2(256)–AES(256)–DH2

Phase 2 — SHA2(256)–AES(256)

Some older versions of Android OS use these default transforms:

Phase 1 — SHA1–AES(256)–DH2

Phase 2 — SHA1–AES(256)

In some cases, the hardware manufacturer of your Android device might specify different default transforms for the native Android VPN client.

To initiate a VPN connection to the Firebox, the Android device sends its default transform set to the Firebox. You must configure the Firebox with transforms supported by Android for the VPN connection to establish. We recommend that you specify the default Android transform set in your Mobile VPN with IPSec settings on the Firebox.

If you specify Firebox transforms different from the default Android transform set, the Android device sends the next transform set on its list. This process repeats until the Android device finds a transform set on its list that match the Firebox settings, or until the Android device reaches a retry limit or has no additional transforms to test.

To troubleshoot connection issues, see Troubleshoot Mobile VPN with IPSec and Traffic Monitor.

Configure the Firebox

Before you can connect with the native Android VPN client, you must configure the Mobile VPN with IPSec settings on your Firebox.

To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.

  • For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
  • If you use a third-party authentication server, use the instructions provided in your vendor documentation.

Configure the Native Android VPN Client

After you configure the Firebox, users in the authentication group you specified in the Mobile VPN with IPSec profile on the Firebox can use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the Firebox.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

To manually configure the native VPN client on the Android device, in Android 8.0 (Oreo):

  1. Tap Settings > Network & Internet > VPN.
  2. Tap the + button.
    The Edit VPN profile dialog box appears.
  3. In the Name text box, type a descriptive name for the VPN connection.
  4. From the Type drop-down list, select IPSec Xauth PSK.
  5. In the Server address text box, type the external IP address of the Firebox.
  6. In the IPSec identifier text box, type the group name you specified in the Mobile VPN with IPSec configuration on the Firebox.
  7. Drag the slider down to see more settings.
  8. In the IPSec pre-shared key text box, type the tunnel passphrase you specified in the Mobile VPN with IPSec configuration on the Firebox.
  9. In the Username text box, type the username for a user in the specified authentication group.
  10. In the Password text box, type the password for a user in the specified authentication group.

Screen shot of the Edit VPN Profile dialog box in Android

  1. Click Save.
    The VPN connection you created is saved to the VPN list.

Screen shot of the list of VPN connections in Android

  1. To connect, click the VPN connection you created.
    The Connect To dialog box appears.

  1. Click Connect.

To verify your connection was successful and that the VPN tunnel is active, browse to a website that shows your IP address such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the Firebox.

See Also

Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search